PRACTICAL TIPS FOR Z/OS VULNERABILITY SCANNING & PROACTIVE SECURITY MANAGEMENT
|
|
- Theodore Nash
- 8 years ago
- Views:
Transcription
1 1 PRACTICAL TIPS FOR Z/OS VULNERABILITY SCANNING & PROACTIVE SECURITY MANAGEMENT Key Resources, Inc. (312) KRI
2 2 Ray Overby SKK - ACF2 Developer ( ) Key Resources, Inc. incorporated 1988 Systems Programming Security Audit and Reviews Security Product Development Developed ESM Conversion and Merge products Consulting & Development for RACF add-on ISV Developed Automated Penetration Testing product z/os Internals & Security expert
3 3 Overview Real World Experiences: 1. A Terrorist Threat 2. An Unexpected Client Request 3. Recent RACF-L Conversations 3
4 4 First Example - Terrorist Threat August 1998, somewhere on the West Coast... Large Municipal Government entity MVS System ACF2 was the ESM Threat phoned in to take down the MVS system Client requested assessment to determine vulnerability 4
5 5 Terrorist Threat The following was reviewed: Hardware Setup IPL and subsystem startup parameters ESM Configuration Policies and Procedures for maintaining and upgrading system's System Exits Nothing obvious turned up Penetration testing was the next step
6 6 Terrorist Threat Design penetration test cases: Focused on System Datasets Created a list: LINLIST, LPALIB, APF list,. IPL parameter datasets Subsystem startup datasets Created a list of low level users of the system. Ran ESM reports reviewing access to the list of files. Smoking gun not found. 6
7 7 Terrorist Threat Implement Pen Tests: Test cases tried to updated the files in the list. Ran with the authority from the list of test users. These tests identified the ability to update certain system datasets. This caused re-examination of ESM global options. Finally located root cause of the error. Security for certain DASD volumes was done at volume level bypassing security at the dataset level. One of the volumes was the system residence volume. 7
8 8 Terrorist Threat What did assessment uncover? Threat was credible. ESM configuration changes were recommended. Re-tested after the changes using penetration tests. Client considered assignment successfully completed. 8
9 9 Terrorist Threat Tips: Make sure you understand the impact of the changes you make on the system. Error might have been identified in test phase or very early on in production if penetration testing had been a standard quality assurance process. No real tools exist so you have to be creative (sticky tape and string). You can not cover everything - start small and work your way up. Identify critical assets (ex - system vs. application datasets). 9
10 10 Second Example - System Integrity Exploitation 2005; Somewhere on the Eastern Seaboard z/os 1.6 Large Financial Corporation Assignment: Bypass z/os Installation Controls Client never disclosed why they needed external review We were asked to focus on system integrity 10
11 11 System Integrity Exploitation 1st day on site (after fingerprinting and background checks), before TSO userids were available. Explored the system using sponsors TSO session. MXI CBT Shareware program was installed (files ). Good practice to see what system exits were in place (SYSX DYNX). Check out cool MXI command GQE. List allocated common storage (requires storage tracking) by SP and storage key. Large amount of CSA Key 8 storage allocated on system 11
12 12 System Integrity Exploitation MXI GQE output showed some Key 8 CSA might be a SMF exit. Verified Key 8 storage was actually a SMF IEFUJI exit. Turns out ISV had loaded SMF Exit IEFUJI exit into CSA Key 8. Informed client an exploitable integrity vulnerability found. Client s Senior Systems programmer did not believe it was possible to exploit a vulnerability in z/os. Vulnerability exploit written in REXX. REXX exec dynamically elevated user authority set RACF Privileged attribute for a TSO user allowed access to most, if not all RACF protected resources. REXX exec could have crashed the system. The exploit written for this vulnerability could have been used to compromise all data on the system (i.e. financial assets). 12
13 13 System Integrity Exploitation ESM is not capable of stopping, monitoring, or reporting on this type of vulnerability Compliance violation for every compliance regulation there is! To his credit client systems programmer accepted the evidence. Systems programmer admitted that this type of activity was beyond his level of expertise. He was a very experienced systems programmer. 13
14 14 System Integrity Exploitation Comments: Installation had some sort of loss. No details ever shared. Conspiracy of Silence If we don't talk about it, it did not happen and it can't hurt us. Installations do not have the expertise to perform integrity assessments. In general, sr. systems programmers do not have the same skillsets as those from 10 years ago. It is a matter of when, not if, Key 8 common storage will be compromised and used in a vulnerability exploit. For those that don't think this is an issue, they are putting their companies at risk. Eliminating Key 8 common storage on your system removes an attack vector for a hacker. Common criteria labs will treat any Key 8 common storage as an exploitable vulnerability. 14
15 15 System Integrity Exploitation Comments: There is an IPL parameter in DIAGxx (ALLOWUSERKEYCSA) that controls the ability to allocate Key 8 common storage. This ALLOWUSERKEYCSA setting can be changed dynamically via SET DIAG=xx operator command. Code has been located in the "wild" to change the ALLOWUSERKEYCSA setting dynamically (if off turn on, perform the Key 8 CSA allocation, then turn back off). ISVs are aware of the Key 8 CSA issue and most have been moving to eliminate any common storage user key usage. IBM recommends that you not specify ALLOWUSERKEYCSA(YES) as user key CSA creates a security risk as any unauthorized program can modify it. 15
16 16 System Integrity Exploitation Tips: Update your security policy to indicate that no Key 8 CSA memory usage is allowed. DIAGxx Parmlib setting at IPL should be ALLOWUSERKEYCSA(NO). Migration of ISV or installation code to newer version may be required. Check with your ISV or your installation developers. Do not allow dynamic changing of the ALLOWUSERKEYCSA setting ISV or installation written programs may need to be upgraded. You must still monitor Key 8 CSA storage allocation. Identify any abusers and remediate them. Any ISV that does not, should be replaced. 16
17 17 Third Example - A RACF L posting We have a storage area that we obtain at the first CICS address space start up. The area is referenced by all CICS regions - but only a couple do any actual updating. The code we use for this is
18 18 A RACF L posting LA R1,SVCSAVE HOLD AREA FOR SVC 255 SVC 255 GET INTO SUP. STATE WITH KEY 0 STORAGE OBTAIN,LENGTH=20480,SP=241,KEY=9 ST R1,MVSCSADR STORE AREA ADDR. IN CSAEXT IC R11,=X'80' SPKA 0(R11) CHANGE TO KEY 8 CICS MODESET MODE=PROB SWITCH TO PROBLEM STATE 18
19 19 A RACF L posting Vulnerabilities May Be Added By well meaning Systems Programmers: Who need a specific function Who did not understand the implications Who have long since left or retired Removal will likely require re-designing or eliminating the function. 19
20 20 A RACF L posting Tips: Remove magic SVCs or other authorization mechanisms that can compromise your system. Redesign the function Function must be accomplished in a manner that does not compromise system integrity. 20
21 21 A RACF L posting - ESM Configuration Exploit RACF L (late Sept/early Oct 2012) Discussion labeled "Mysterious Dataset Access? Access was allowed to a dataset and it should not have been Dataset contained sensitive information Breach was reported by company employee 21
22 22 A RACF L posting - ESM Configuration Exploit ADDSD 'SYS9.RACF.*.**' UACC(NONE) OWNER(SYS9) PERMIT 'SYS9.RACF.*.**' ID(SYSADM) ACCESS(ALTER) PERMIT 'SYS9.RACF.*.**' ID(SYSPRG) ACCESS(ALTER) ADDSD 'SYS9.*.**' UACC(READ) OWNER(SYS9) PERMIT 'SYS9.*.**' ID(SYSADM) ACCESS(ALTER) PERMIT 'SYS9.*.**' ID(SYSPRG) ACCESS(ALTER) PERMIT SYS9.*.** ID(APPLGRP) ACCESS(READ) RALT GLOBAL DATASET ADDMEM('SYS9.RACF.*.**'/NONE) RALT GLOBAL DATASET ADDMEM('SYS9.*.**'/READ) SETR GLOBAL(DATASET) REFRESH 22
23 23 A RACF L posting - ESM Configuration Exploit An "undercutting" global entry 'SYS9.RACF.*.**'/NONE should have caused RACF to look at the SYS9.RACF.*.** DATASET profile for access. SYS9.RACF.*.** DATASET profile would deny access. If undercutting Global entry removed, then READ access would have been allowed. If undercutting Global entry added but refresh not done, would still allow access. Based on posts on RACF L the previous two bullet items are the likely cause of the problem. 23
24 24 A RACF L posting - ESM Configuration Exploit Comments: It is likely that these types of problems are reported from time to time. When reported, you react by performing root cause analysis and fixing the error. Depending upon the sensitivity of the protected asset, that may not be enough. Penetration testing could have identified this problem very early in its existence. Not performing penetration testing will put your company at risk. Compliance standards call for continuous monitoring. Penetration testing can be used to, at least partially, cover this requirement. 24
25 25 A RACF L posting - ESM Configuration Exploit You can use the following to test READ access to datasets Requires RACF SURROGATE to be implemented Replace with Valid job card + USER=execution userid //CHECKIT EXEC PGM=IEBGENER //SYSIN DD DUMMY //SYSPRINT DD SYSOUT=* //SYSUT1 DD DISP=SHR,DSN=SYS9.RACF.REC102 //SYSUT2 DD DUMMY // 25
26 26 A RACF L posting - ESM Configuration Exploit Tips: Verify the changes you make perform what you are trying to do Create a set of test case's to verify changes work Verify the changes you make don t have unintended consequences Create a set of test cases to verify no unintended consequences 26
27 27 In Summary Penetration testing can be helpful in: Verifying that ESM changes actually work Do not create unintended consequences A robust set of penetration tests can help eliminate ESM based vulnerabilities (proactive instead of reactive). Penetration testing is obligatory by all compliance guidelines. 27
28 28 Questions? Key Resources, Inc. (312) KRI
z/os VULNERABILITY SCANNING AND MANAGEMENT Key Resources, Inc. ray.overby@kr-inc.com (312) KRI-0007 www.kr-inc.com
1 z/os VULNERABILITY SCANNING AND MANAGEMENT Key Resources, Inc. ray.overby@kr-inc.com (312) KRI-0007 www.kr-inc.com 2 Ray Overby SKK - ACF2 Developer (1981-1988) Key Resources, Inc. incorporated in 1988
More informationAgenda. z/os Ethical Hacking Vulnerability Scanning & Pen Testing. Mark Wilson RSM Partners. Session Number: 12275. l Disclaimer.
z/os Ethical Hacking Vulnerability Scanning & Pen Testing Mark Wilson RSM Partners Session Number: 12275 Agenda l Disclaimer l Introduction l Objectives l Mainframe Hacking Fact or Fiction? l Penetration
More informationMark Wilson markw@rsmpartners.com Session Details: The Introduction
Everything you wanted to know about mainframe security, pen testing and vulnerability scanning.. But were too afraid to ask! Mark Wilson markw@rsmpartners.com Session Details: The Introduction Agenda Introduction
More informationOur Vulnerability Scanning Program
Our Vulnerability Scanning Program INTERACTIVE CODE SCANNING KRI s z/os Interactive Code Scanning strengthens an organizations enterprise security by: Providing Interactive Application Security Testing
More information21 Things You Didn t Used to Know About RACF
21 Things You Didn t Used to Know About RACF (A Technical Update for IT Auditors) Stuart Henderson The Henderson Group (301) 229-7187 1 Here Are 21 Things Auditors Should Know About RACF One Person s Opinion,
More informationBeyond the Software Life Cycle
Beyond the Software Life Cycle CA-Endevor Facilitates Ad-hoc Job Processing Southern CA Endevor User Group June 2008 Rose A. Sakach Endevor Practice Leader - RSH Consulting, Inc. R.Sakach@RSHConsulting.com
More informationThe Advantages Of External Security For DB2 And The Migration Towards RACF. Kurt Struyf, infocura
The Advantages Of External Security For DB2 And The Migration Towards RACF Kurt Struyf, infocura 0 Agenda The need for better data security What does DB2 offer? Why externalizing security? Why RACF? How
More informationSecond Edition (May 1984)
5C28-1342-1 File No. 5370-40 Program Product Resource Access Control Facility (RACF) Auditor's Guide Program Number 5740-XXH Version 1, Release 6 ---- - ----- - - - --- -- ------ -. - Second Edition (May
More informationHow to Secure Mainframe FTP
How to Secure Mainframe FTP Stu Henderson (301) 229-7187 stu@stuhenderson.com Scott Myers (408) 973-8374 scott@softwareassist.net 1 AGENDA I. Introduction II. III. IV. How Mainframe FTP is Different Mainframe
More informationSystem Change Management - A Key to Success
Position Paper: Keys to Effective Systems Change Management Executive Overview The Institute of Internal Auditors, in its guide to Section 404 of the Sarbanes- Oxley Act, states that IT general controls
More informationUtility Mainframe System Administration Training Curriculum
Utility Mainframe System Administration Training Curriculum MVS SYSTEM ADMINISTRATION MVS SYSTEM ADMINISTRATION- LEVEL 1 TO 1.5 Name of the Module Common for All Administration LSO TSO/ISPF JCL & UTILITIES
More informationCA Auditor for z/os. System Review Checklist. r12. Second Edition
CA Auditor for z/os System Review Checklist r12 Second Edition This documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation
More informationCompiler Forecast: Cloudy with. Cloud Computing for your z/os compilers
Compiler Forecast: Cloudy with a Chance of Savings Cloud Computing for your z/os compilers Speaker Bio Charles Mills is the Chief Development Officer of Cloud Compiling, LLC Mills was the founder of FiresignComputer
More informationCA OPS /MVS Event Management and Automation
CA OPS /MVS Event Management and Automation Security Guide Release 12.1 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the
More informationUtilization of Hostsystem s Cross Sysplex Manager in the Swisscom IT Services. GSE z/os Expertenforum Brienz, May 2005 Thomas Ruh
Utilization of Hostsystem s Cross Sysplex Manager in the Swisscom IT Services GSE z/os Expertenforum Brienz, May 2005 Thomas Ruh Agenda Projects of consolidation Shared Dasd environment complex of problems
More information5.5. Penetration Tests. Report of the Auditor General of the Ville de Montréal to the City Council and to the Urban Agglomeration Council
Report of the Auditor General of the Ville de Montréal to the City Council and to the Urban Agglomeration Council 5.5 For the Year Ended December 31, 2013 Penetration Tests 5.5. Penetration Tests Table
More informationWhite paper September 2009. Realizing business value with mainframe security management
White paper September 2009 Realizing business value with mainframe security management Page 2 Contents 2 Executive summary 2 Meeting today s security challenges 3 Addressing risks in the mainframe environment
More informationCA OPS /MVS Event Management and Automation
CA OPS /MVS Event Management and Automation Security Guide Release 12.0 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the
More informationIntegrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com
SAINT Integrated Network Vulnerability Scanning and Penetration Testing www.saintcorporation.com Introduction While network vulnerability scanning is an important tool in proactive network security, penetration
More informationSMF Digital Signatures in z/os 2.2. Anthony Sofia (atsofia@us.ibm.com) Software Engineer at IBM August 14 th 2015
SMF Digital Signatures in z/os 2.2 Anthony Sofia (atsofia@us.ibm.com) Software Engineer at IBM August 14 th 2015 Agenda What is a digital signature? How digital signatures enhance SMF data Configuration
More informationRACF & Payment Card Industry (PCI) Data Security Standards RUGONE May 2012
RACF & Payment Card Industry (PCI) Data Security Standards Robert S. Hansel Lead RACF Consultant R.Hansel@rshconsulting.com 617 969 9050 Robert S. Hansel Robert S. Hansel is Lead RACF Specialist and founder
More informationz/os Performance Monitoring Tools Shoot-Out: ASG, BMC, CA, Rocket
z/os Performance Monitoring Tools Shoot-Out: ASG, BMC, CA, Rocket Gary Henderson ASG (Allen Systems Group) 1 March 2011, 9:30 AM-10:30 AM Session Number 8695 Installation and Maintenance Installation and
More informationProgram Directory for IBM Tivoli License Compliance Manager for z/os V3.2.0. Program Number 5698-A80 FMID HAUD320.
IBM Program Directory for IBM Tivoli License Compliance Manager for z/os V3.2.0 Program Number 5698-A80 FMID HAUD320 for Use with z/os Document Date: JULY 2005 GI11-4089-00 Note! Before using this information
More informationCA Tape Encryption Key Manager
PRODUCT BRIEF: CA TAPE ENCRYPTION KEY MANAGER Manager CA TAPE ENCRYPTION KEY MANAGER IS THE FIRST z/os-based, SOFTWARE TAPE ENCRYPTION KEY SOLUTION THAT CONSOLIDATES AND UNIFIES MANAGEMENT ACROSS MULTIPLE
More informationCICS Transactions Measurement with no Pain
CICS Transactions Measurement with no Pain Prepared by Luiz Eduardo Gazola 4bears - Optimize Software, Brazil December 6 10, 2010 Orlando, Florida USA This paper presents a new approach for measuring CICS
More informationThe Security Gap. Philip Young aka Soldier of Fortran @mainframed767
The Security Gap Philip Young aka Soldier of Fortran @mainframed767 DISCLAIMER All research was done under personal time. I am not here in the name of, or on behalf of, my employer. Any views expressed
More informationNew Security Options in DB2 for z/os Release 9 and 10
New Security Options in DB2 for z/os Release 9 and 10 IBM has added several security improvements for DB2 (IBM s mainframe strategic database software) in these releases. Both Data Security Officers and
More informationPatch and Vulnerability Management Program
Patch and Vulnerability Management Program What is it? A security practice designed to proactively prevent the exploitation of IT vulnerabilities within an organization To reduce the time and money spent
More informationHEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY
More informationTHE TOP 4 CONTROLS. www.tripwire.com/20criticalcontrols
THE TOP 4 CONTROLS www.tripwire.com/20criticalcontrols THE TOP 20 CRITICAL SECURITY CONTROLS ARE RATED IN SEVERITY BY THE NSA FROM VERY HIGH DOWN TO LOW. IN THIS MINI-GUIDE, WE RE GOING TO LOOK AT THE
More informationfuture data and infrastructure
White Paper Smart Grid Security: Preparing for the Standards-Based Future without Neglecting the Needs of Today Are you prepared for future data and infrastructure security challenges? Steve Chasko Principal
More informationHigh Level Cyber Security Assessment 2/1/2012. Assessor: J. Doe
2/1/2012 Assessor: J. Doe Disclaimer This report is provided as is for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information
More informationProtecting against cyber threats and security breaches
Protecting against cyber threats and security breaches IBM APT Survival Kit Alberto Benavente Martínez abenaventem@es.ibm.com IBM Security Services Jun 11, 2015 (Madrid, Spain) 12015 IBM Corporation So
More informationBit Bucket x 2Bx. SHARE 119 Session 11702 Anaheim, CA 10 August 2012
Bit Bucket x 2Bx 2B Ed Jaffe, edjaffe@phoenixsoftware.com Tom Conley, pinncons@rochester.rr.com Sam Knutson, SKnutson@geico.com Skip Robinson, robinsjo@sce.com SHARE 119 Session 11702 Anaheim, CA 10 August
More informationENTERPRISE INFORMATION SECURITY
ANNUAL PLANNING TO OPTIMIZE ENTERPRISE INFORMATION SECURITY 60 Commerce Street, Suite 1100 Montgomery, AL 36104 USA www.icsinc.com T: 877.ICS.INC9 / 334.270.2892 F: 334.270.2896 info@icsinc.com A vital
More informationCORE Security and the Payment Card Industry Data Security Standard (PCI DSS)
CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) Addressing the PCI DSS with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com
More informationCA JCLCheck Workload Automation
PRODUCT SHEET CA JCLCheck Workload Automation CA JCLCheck Workload Automation CA JCLCheck Workload Automation (CA JCLCheck WA) validates z/os JCL before it is submitted for execution. CA JCLCheck WA helps
More informationIMS Disaster Recovery
IMS Disaster Recovery Part 1 Understanding the Issues February 5, 2008 Author Bill Keene has almost four decades of IMS experience and is recognized world wide as an expert in IMS recovery and availability.
More informationAutomated Underwriting: Threat or Opportunity? Jason Bowman, Head of Accelerated Underwriting, NA Dan Drabik, Senior Magnum Consultant
Automated Underwriting: Threat or Opportunity? Jason Bowman, Head of Accelerated Underwriting, NA Dan Drabik, Senior Magnum Consultant Introduction The pace of change Ever feel overwhelmed by the pace
More informationETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001
001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110
More informationIBM InfoSphere Guardium for DB2 on z/os Technical Deep Dive
IBM InfoSphere Guardium for DB2 on z/os Technical Deep Dive One of a series of InfoSphere Guardium Technical Talks Ernie Mancill Executive IT Specialist Logistics This tech talk is being recorded. If you
More informationCautela Labs Cloud Agile. Secured.
Cautela Labs Cloud Agile. Secured. Vulnerability Management Scanning and Assessment Service Vulnerability Management Services New network, application and database vulnerabilities emerge every day. Because
More information5 Simple Steps to Secure Database Development
E-Guide 5 Simple Steps to Secure Database Development Databases and the information they hold are always an attractive target for hackers looking to exploit weaknesses in database applications. This expert
More informationAssuring Application Security: Deploying Code that Keeps Data Safe
Assuring Application Security: Deploying Code that Keeps Data Safe Assuring Application Security: Deploying Code that Keeps Data Safe 2 Introduction There s an app for that has become the mantra of users,
More informationWHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK
WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK DATE OF RELEASE: 27 th July 2012 Table of Contents 1. Introduction... 2 2. Need for securing Telecom Networks... 3 3. Security Assessment Techniques...
More informationCA Compliance Manager for z/os
PRODUCT SHEET CA Compliance Manager for z/os CA Compliance Manager for z/os CA Compliance Manager for z/os (CA Compliance Manager) provides your organization with a single source for real-time, compliancerelated
More informationPCI DSS, z/os and Keeping You from Becoming a News Headline
PCI DSS, z/os and Keeping You from Becoming a News Headline Charles Mills CorreLog, Inc. March 13, 2012 Session #11089 Copyright and Trademarks Copyright 2012 CorreLog, Inc. Trademarks CorreLog is a registered
More informationWhat IT Auditors Need to Know About Secure Shell. SSH Communications Security
What IT Auditors Need to Know About Secure Shell SSH Communications Security Agenda Secure Shell Basics Security Risks Compliance Requirements Methods, Tools, Resources What is Secure Shell? A cryptographic
More informationComputer Security: Principles and Practice
Computer Security: Principles and Practice Chapter 17 IT Security Controls, Plans and Procedures First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Implementing IT Security
More informationPlain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75
Plain English Guide To Common Criteria Requirements In The Field Device Protection Profile Version 0.75 Prepared For: Process Control Security Requirements Forum (PCSRF) Prepared By: Digital Bond, Inc.
More informationSecurity Awareness For Server Administrators. State of Illinois Central Management Services Security and Compliance Solutions
Security Awareness For Server Administrators State of Illinois Central Management Services Security and Compliance Solutions Purpose and Scope To present a best practice approach to securing your servers
More informationDigital Certificate Goody Bags on z/os
Digital Certificate Goody Bags on z/os Ross Cooper, CISSP IBM Corporation RACF/PKI Development Poughkeepsie, NY Email: rdc@us.ibm.com August 6 th, 2012 Session 11623 Agenda What is a Digital Certificate?
More informationWHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION
WHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION Table of Contents Executive Summary...3 Vulnerability Scanners Alone Are Not Enough...3 Real-Time Change Configuration Notification is the
More informationRisk Management Guide for Information Technology Systems. NIST SP800-30 Overview
Risk Management Guide for Information Technology Systems NIST SP800-30 Overview 1 Risk Management Process that allows IT managers to balance operational and economic costs of protective measures and achieve
More informationPenetration Testing Services. Demonstrate Real-World Risk
Penetration Testing Services Demonstrate Real-World Risk Penetration Testing Services The best way to know how intruders will actually approach your network is to simulate a real-world attack under controlled
More informationEvaluation Report. Office of Inspector General
Evaluation Report OIG-08-035 INFORMATION TECHNOLOGY: Network Security at the Office of the Comptroller of the Currency Needs Improvement June 03, 2008 Office of Inspector General Department of the Treasury
More informationStu Henderson s Clear Explanation of Effective z/os Security Auditing
Stu Henderson s Clear Explanation of Effective z/os Security Auditing (A Brief Description of the Steps to a Proven Practical Audit Program, Without Much Technical Detail) Stu Henderson The Henderson Group
More informationPrinciples of Information Security, Fourth Edition. Chapter 12 Information Security Maintenance
Principles of Information Security, Fourth Edition Chapter 12 Information Security Maintenance Learning Objectives Upon completion of this material, you should be able to: Discuss the need for ongoing
More informationHow To Manage A System Vulnerability Management Program
System Vulnerability Management Definitions White Paper October 12, 2005 2005 Altiris Inc. All rights reserved. ABOUT ALTIRIS Altiris, Inc. is a pioneer of IT lifecycle management software that allows
More informationFTP is Free, but Can You Really Afford It?
STERLING COMMERCE WHITE PAPER FTP is Free, but Can You Really Afford It? A closer look at the total cost of the operation of freeware FTP Introduction File Transfer Protocol (FTP) is a widely used data-movement
More informationDatabase security issues PETRA BILIĆ ALEXANDER SPARBER
Database security issues PETRA BILIĆ ALEXANDER SPARBER Introduction Database security is one aspect of computer security It uses different information security controls to protect databases Information
More informationSession 2826 February 2001. Stop those Unnecessary IPLS: The Dynamic OS/390 Functions
Stop those Unnecessary IPLS: The Dynamic OS/390 Functions Kenneth.Tomiak@Schunk-Associates.com March 6, 2002 Session 2859 1 Trademarks and Copyrights Trademarks and Registered trademarks used in this presentation
More informationPenetration Testing. Presented by
Penetration Testing Presented by Roadmap Introduction to Pen Testing Types of Pen Testing Approach and Methodology Side Effects Demonstration Questions Introduction and Fundamentals Penetration Testing
More informationCA Deliver r11.7. Business value. Product overview. Delivery approach. agility made possible
PRODUCT SHEET CA Deliver agility made possible CA Deliver r11.7 CA Deliver is an online report management system that provides you with tools to manage and reduce the cost of report distribution. Able
More informationCA TPX Session Management r5.3
PRODUCT SHEET CA TPX Session Management CA TPX Session Management r5.3 CA TPX Session Management (CA TPX) helps you manage user menus for accessing VTAM applications on the mainframe while offering end
More informationTop 10 Database. Misconfigurations. mtrinidad@appsecinc.com
Top 10 Database Vulnerabilities and Misconfigurations Mark Trinidad mtrinidad@appsecinc.com Some Newsworthy Breaches From 2011 2 In 2012.. Hackers carry 2011 momentum in 2012 Data theft, hacktivism, espionage
More informationLEARNING COMPUTER SYSTEMS VULNERABILITIES EXPLOITATION THROUGH PENETRATION TEST EXPERIMENTS
1 LEARNING COMPUTER SYSTEMS VULNERABILITIES EXPLOITATION THROUGH PENETRATION TEST EXPERIMENTS Te-Shun Chou and Tijjani Mohammed Department of Technology Systems East Carolina University chout@ecu.edu Abstract
More informationIBM Security Key Lifecycle Manager for z/os: Deployment and Migration Considerations
Redpaper IBM Security Key Lifecycle Manager for z/os: Deployment and Migration Considerations Axel Buecker William C. Johnston Overview This IBM Redpaper publication discusses IBM Security Key Lifecycle
More informationIT Security Standard: Computing Devices
IT Security Standard: Computing Devices Revision History: Date By Action Pages 09/30/10 ITS Release of New Document Initial Draft Review Frequency: Annually Responsible Office: ITS Responsible Officer:
More informationIS L06 Protect Servers and Defend Against APTs with Symantec Critical System Protection
IS L06 Protect Servers and Defend Against APTs with Symantec Critical System Protection Description Lab flow At the end of this lab, you should be able to Discover how to harness the power and capabilities
More informationInfoSec Myths Debunked:
Whitepaper InfoSec Myths Debunked: Mainframes are invulnerable and File Integrity Monitoring per the PCI DSS is only for Windows/UNIX. The first signs of intrusion could be in modifications to operating
More informationRACF PERFORMANCE TUNING
SHARE - August 2010 Robert S. Hansel Lead RACF Specialist - RSH Consulting, Inc. R.Hansel@rshconsulting.com - 617-969-9050 - www.rshconsulting.com 1 RSH PRESENTER Robert S. Hansel is Lead RACF Specialist
More informationTABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY
IT FIREWALL POLICY TABLE OF CONTENT 1. INTRODUCTION... 3 2. TERMS AND DEFINITION... 3 3. PURPOSE... 5 4. SCOPE... 5 5. POLICY STATEMENT... 5 6. REQUIREMENTS... 5 7. OPERATIONS... 6 8. CONFIGURATION...
More informationIBM Innovate 2011. AppScan: Introducin g Security, a first. Bobby Walters Consultant, ATSC bwalters@atsc.com Application Security & Compliance
IBM Innovate 2011 Bobby Walters Consultant, ATSC bwalters@atsc.com Application Security & Compliance AppScan: Introducin g Security, a first June 5 9 Orlando, Florida Agenda Defining Application Security
More informationSession 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness
Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness Wayne A. Wheeler The Aerospace Corporation GSAW 2015, Los Angeles, CA, March 2015 Agenda Emerging cyber
More informationIs your Web Application. "Hacking Proof"?
w Hackers Locked Security Testing Services v Is your Web Application Hackers Locked Security Testing Services "Hacking Proof"? Hackers Locked Penettrattiion Testtiing Serviices www.hackerslocked.com HL
More informationprivileged identities management best practices
privileged identities management best practices abstract The threat landscape today requires continuous monitoring of risks be it industrial espionage, cybercrime, cyber-attacks, Advanced Persistent Threat
More informationWelcome to today's webinar: How to Transform RMF & SMF into Availability Intelligence
Welcome to today's webinar: How to Transform RMF & SMF into Availability Intelligence The presentation will begin shortly Session Abstract: How to Transform RMF & SMF into Availability Intelligence It
More informationINTRODUCTION: PENETRATION TEST A BUSINESS PERSPECTIVE:
PENETRATION TESTING A SYSTEMATIC APPROACH INTRODUCTION: The basic idea behind writing this article was to put forward a systematic approach that needs to be followed to perform a successful penetration
More informationCSN38:Tracking Privileged User Access within an ArcSight Logger and SIEM Environment Philip Lieberman, President and CEO
CSN38:Tracking Privileged User Access within an ArcSight Logger and SIEM Environment Philip Lieberman, President and CEO 2009 by Lieberman Software Corporation. Rev 20090921a Identity Management Definitions
More informationPowerSC Tools for IBM i
PowerSC Tools for IBM i A service offering from IBM Systems Lab Services PowerSC Tools for IBM i PowerSC Tools for IBM i helps clients ensure a higher level of security and compliance Client Benefits Simplifies
More informationr12 Overview Business value
PRODUCT SHEET CA 1 Tape Management CA 1 Tape Management r12 CA 1 Tape Management r12 (CA 1) provides for the management, control, and protection of z/os tape data sets and volumes. CA 1 integrates with
More informationRedhawk Network Security, LLC 62958 Layton Ave., Suite One, Bend, OR 97701 sales@redhawksecurity.com 866-605- 6328 www.redhawksecurity.
Planning Guide for Penetration Testing John Pelley, CISSP, ISSAP, MBCI Long seen as a Payment Card Industry (PCI) best practice, penetration testing has become a requirement for PCI 3.1 effective July
More informationCA Products for z/vm Old Dogs with New Tricks
CA Products for z/vm Old Dogs with New Tricks Yvonne DeMeritt Sr. Sustaining Engineer CA Objective -Provide information on CA s z/vm product offerings that are available to assist you in meeting your z/vm
More informationTop Ten Security Vulnerabilities in z/os Security
Top Ten Security Vulnerabilities in z/os Security John Hilman Vanguard Professional Services 1 The Issues Is your mainframe critical to your enterprise? Is it central to your Disaster Recover Plan Does
More informationApplication Backup and Restore using Fast Replication Services. Ron Ratcliffe rratcliffe@rocketsoftware.com March 13, 2012 Session Number 10973
Application Backup and Restore using Fast Replication Services Ron Ratcliffe rratcliffe@rocketsoftware.com March 13, 2012 Session Number 10973 Session Agenda What is IBM Tivoli Advanced Backup and Recovery
More informationNational Endowment for the Arts Evaluation Report. Table of Contents. Results of Evaluation... 1. Areas for Improvement... 2. Exit Conference...
NEA OIG Report No. R-13-03 Table of Contents Results of Evaluation... 1 Areas for Improvement... 2 Area for Improvement 1: The agency should implement ongoing scanning to detect vulnerabilities... 2 Area
More informationCertification Report
Certification Report EAL 4+ Evaluation of Netezza Performance Server v4.6.5 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification
More informationOffice of Inspector General
DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,
More informationCA Chorus for Security and Compliance Management
CA Chorus for Security and Compliance Management Site Preparation Guide Version 03.0.00, Fifth Edition This Documentation, which includes embedded help systems and electronically distributed materials,
More informationU.S. Department of the Interior's Federal Information Systems Security Awareness Online Course
U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course Rules of Behavior Before you print your certificate of completion, please read the following Rules of Behavior
More informationManaging IT Security with Penetration Testing
Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to
More informationAppalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation... 1. Areas for Improvement... 2
Report No. 13-35 September 27, 2013 Appalachian Regional Commission Table of Contents Results of Evaluation... 1 Areas for Improvement... 2 Area for Improvement 1: The agency should implement ongoing scanning
More informationFORBIDDEN - Ethical Hacking Workshop Duration
Workshop Course Module FORBIDDEN - Ethical Hacking Workshop Duration Lecture and Demonstration : 15 Hours Security Challenge : 01 Hours Introduction Security can't be guaranteed. As Clint Eastwood once
More informationInformation Security: A Perspective for Higher Education
Information Security: A Perspective for Higher Education A By Introduction On a well-known hacker website, individuals charged students $2,100 to hack into university and college computers for the purpose
More informationConfiguring and Tuning SSH/SFTP on z/os
Configuring and Tuning SSH/SFTP on z/os Kirk Wolf / Steve Goetze Dovetailed Technologies info@dovetail.com dovetail.com Monday, March 10, 2014, 1:30PM Session: 14787 www.share.org Session Info/Eval link
More informationFacilitating Efficient Data Management by Craig S. Mullins
Facilitating Efficient Data Management by Craig S. Mullins Most modern applications utilize database management systems (DBMS) to create, store and manage business data. The DBMS software enables end users
More informationOFFICE OF INSPECTOR GENERAL. Audit Report
OFFICE OF INSPECTOR GENERAL Audit Report Audit of the Railroad Retirement Board s Medicare Major Application System Report No. 09-06 September 30, 2009 RAILROAD RETIREMENT BOARD TABLE OF CONTENTS Introduction
More informationGFI White Paper PCI-DSS compliance and GFI Software products
White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption
More informationAdvanced Web Security, Lab
Advanced Web Security, Lab Web Server Security: Attacking and Defending November 13, 2013 Read this earlier than one day before the lab! Note that you will not have any internet access during the lab,
More information